Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
27/07/2024, 04:10
General
-
Target
2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe
-
Size
204KB
-
MD5
f5f18fd0f613354ebb56e3a2ea6ae164
-
SHA1
453fdfcfbde2b059c3395635ffe5753ad2912046
-
SHA256
b2abf6f8e5017baf0ed915c5da53a52229731f3dd2c68d14d9f0a50014893aee
-
SHA512
d7149219dee1c19019aa7f7064616a74acdb79d038cc9dd14fbb3259bb61876c6c6f8010459a5c3fe8e29f49ebb38b9ed61edb05f7493b9870aa0e99a87be211
-
SSDEEP
1536:1EGh0o61l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oSl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-27_f5f18fd0f613354ebb56e3a2ea6ae164_goldeneye.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EFA8356C-CF31-42ec-8ED5-89926B1E484A}.exeC:\Windows\{EFA8356C-CF31-42ec-8ED5-89926B1E484A}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F2588F8D-6EB1-4f89-BE4A-CA5BDD9EAB96}.exeC:\Windows\{F2588F8D-6EB1-4f89-BE4A-CA5BDD9EAB96}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FCD3C16C-372A-487f-A8A7-CDE0847EAFAE}.exeC:\Windows\{FCD3C16C-372A-487f-A8A7-CDE0847EAFAE}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8B379663-4ADB-439f-8C26-4E8D8798C2D8}.exeC:\Windows\{8B379663-4ADB-439f-8C26-4E8D8798C2D8}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{07792A8F-1A82-4710-838D-46853ADDC640}.exeC:\Windows\{07792A8F-1A82-4710-838D-46853ADDC640}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{265A65BD-E39A-4f8a-88E4-D7894E0AE34E}.exeC:\Windows\{265A65BD-E39A-4f8a-88E4-D7894E0AE34E}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4769CA22-92E4-4f23-8F82-6EC6FAFB1DDF}.exeC:\Windows\{4769CA22-92E4-4f23-8F82-6EC6FAFB1DDF}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B15E654B-5450-461f-8616-2523FF6398EF}.exeC:\Windows\{B15E654B-5450-461f-8616-2523FF6398EF}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{DC37201C-9DB7-494c-9DBE-61E67045B7E7}.exeC:\Windows\{DC37201C-9DB7-494c-9DBE-61E67045B7E7}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C6B150DF-09B3-4893-8973-A71CBF39C17E}.exeC:\Windows\{C6B150DF-09B3-4893-8973-A71CBF39C17E}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1EC965C1-1C70-496f-A01F-7B27CDADC05A}.exeC:\Windows\{1EC965C1-1C70-496f-A01F-7B27CDADC05A}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{F346E382-B092-42a1-B513-E44C330F140E}.exeC:\Windows\{F346E382-B092-42a1-B513-E44C330F140E}.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1EC96~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C6B15~1.EXE > nul12⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DC372~1.EXE > nul11⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B15E6~1.EXE > nul10⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4769C~1.EXE > nul9⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{265A6~1.EXE > nul8⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{07792~1.EXE > nul7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8B379~1.EXE > nul6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FCD3C~1.EXE > nul5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F2588~1.EXE > nul4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EFA83~1.EXE > nul3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD54ffe4c3a51b91894cc87a2a83355a16b
SHA17e1f36bb01eca4c6c4e09d7082d45857a56b38d8
SHA2567e923e87fb484d5eec28adcf7a715d0248b8f27bf4a1f4d8736662b7be07ddaf
SHA5126b3f91ca1308baca24dc0f713ee8ddea44cc55a00d2e9d8cb2ede12b1f115828bcc67803e462d784928ec28790003d1fdd6c1aee5dc4555407d7866e4d8bb7d6
-
Filesize
204KB
MD56cbaa96578800278a0d98df24266d912
SHA1ecde1d6b5242e87c903b3e6a2555fa2584acc7cb
SHA256987ac7c5cc8bfb45a4753b3b6ce8f6947ec52fa704b06938e15e7e8a830a2753
SHA512e46a777a90a1ae48eab0176ddc6a0838e5efb00252296e9340024bcb1e571f23b3978fedc1f4bf033ab2901b12c50dc050820425e972cf54ee66c874d0850a1e
-
Filesize
204KB
MD52c1020dfe59492d03f2dfb23ed739b35
SHA17d1e88c79a7505e08b0454c8ab9d0f37bd440ac1
SHA2563c9f942b849a86886cfc35e36d82bdd7a921e4fd40ab476914f37be5b5a770aa
SHA512fe1ccb5beb091c0e12422e0cf30ed13e1ad5ea53eb6677506ce35dce23ccba7fc3f275762f0bec4d5d4cb3cc3fb5f5626248e98ab22a6870ae6a21ddb1488e91
-
Filesize
204KB
MD512858534c367bef1b6b6ead03fba22a0
SHA189a5032e60e2fd53f4916cada4bae7674c4d0178
SHA2564008cc93745d006ce6ca339a98085a45056f59b0d82bdc5ee0a3f73a173400dd
SHA512d2efefbdf3de361b518e9b96643c422311c48990c126039a2834c838a85d40f404f45354608e514bf64fd255bd7281713b7debaab75588f11d31897fa52a8bff
-
Filesize
204KB
MD513904e590e918798ec883e566a9132b7
SHA1c65a7a6ade4ae5cd2c6d3c1fe329b5d9f8874753
SHA25684c0bdd8556cdb57ee3aa5d0f55265f29c822c8b0a760e0b84006998377e211a
SHA512a072e52dfca4f79d798c4270eddabde9e6d0f99fbcafa92b8734a540654f73db4ccfaa2870b39da521fce361b1051068eb94feebec8fc31fc269c171d2c249ed
-
Filesize
204KB
MD586f4d5de1d8cc60ba2cc868e32fe245b
SHA1609c53e821b884756e48b4e83e144bbaa11e9404
SHA2562759e40af614cf25c23041db2bbad023f87a1e83ce5e8070a4f12fe2a33aabd0
SHA5122545ebfd297d884bfe58aec0b2c89b360843b48e49b9ad3f646560a2457df15654131aa91f87fb63ee1a5f514d3d08771de01b58f658d3f95a6dca43287445e7
-
Filesize
204KB
MD546784130ccdea10c6c266a5281de3df8
SHA15b6dcbfce0cfa5c2a5e3138de66ae27a9d91e30b
SHA256fcf4d04675a87e1a0deb4d2e8bc52c7b8eb4a0de10262280dff32dd7e457a2d0
SHA512843b5cc28f18346047d10b1cc91799960135a58397658309185838f0ae5006864e693ae894bc36264b2daa74fd51970940eb483c8e6818518104726431f938f6
-
Filesize
204KB
MD506a9dba181ce87d12eaaf758977c5f3a
SHA180aa64e1a456d7eb041f002b2c39bd95bc03dd34
SHA25629142000bd4062131626d5a1b02db2bbb4ca184ade020e74ba98f714b90002d9
SHA51245da357be50dd5d43a606f1c414ad1b4bf91fa6fe78ecbdf0d6b0b1f75231b4202ce8f908f5cece6fcca18fb0568f0fae6c4898287aac4543544e2d4eab49890
-
Filesize
204KB
MD59c7eec8252a823241c46579251eb3b36
SHA11c9b13ba4603e83cab831b365079b4ab46a8a0a3
SHA256d89d76d7bbcc2dbd65c64ec05ccd0dedb8bf3d237b1fe8e918cb3109256b50b8
SHA5125fd26eaa578e7a83ac7a6a16d635cb7efdbd4f3b4b87f417ba42813c403a205d68408ff61edd568c23caa0b7143a9b85f7151d52a9849639bc0044c5cb7a77b9
-
Filesize
204KB
MD5fa2786566d199a098da566b5a729905e
SHA193828f2ffc0c3506a0b355c9535b4ec529d86480
SHA2564b387b4752083fd08887727676df9f7eee75ef8687fd77a8ae37bc28680eaaa3
SHA512023afbfe43cceceedde634b2bcee113d590eaec72c3d7bacfa6e006f76500b5e6fe3fc7fd903b7d808210cf88c57270f2f811200bdc8e402f3d4904144e0113f
-
Filesize
204KB
MD5fcb8935d4e559fd3bd4e8609e0e1beb2
SHA1d58947b8fe325457bd67ce82122092bbdb1b3328
SHA25621fc6f133877ccd134ad7004f506cf1395bc25bc27adcc5b99485bba415365c2
SHA5121fd2bb0b807b112ca9c560a80695ad67e8a7a4d01567b0c49dc53df14b4c5589f7649c944bedfa853be427c58681598ba7835c19a642ed049caa48c664ca0891
-
Filesize
204KB
MD565b33163829b2e522efa4a92d2338b8c
SHA11497e1d726d42977eda99af7b092cde440c483ce
SHA256331b2467328a319ac838d836127319351ba179a188843c71da46e829e79e1d06
SHA512db35e8251b1eedb956a7f66124ea4f5d1ef96519afb5f05244ca02cfe95090b0881accf80f64b4ec6774092fb941fbc1fd740dc5d018e4485436724397ac72e1